Description

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Indication of Infection

Any of the payloads listed under Methods of Infection, or the presence of the file c:\windows.dat.

Methods of Infection

Opening infected documents will directly infect the local Word environment and any document used thereafter.

The virus will export its code to c:\windows.dat. This file is not infected. The virus contains a payload for each day of the month.

If day is 1st of any month, the virus will insert the following message into the document: "Alamat brought to you by Lucky Warrior"

If day is 2nd of any month, the virus will disable the Table menu bar.

If day is 3rd of any month, the virus will disable the Help menu bar.

If day is 4th of any month, the virus will delete c:\*.*.

If day is 5th of any month, the virus will delete the following AV files:

C:\progra~1\Drsolo~1\Anti-V~1\*.*

C:\Program Files\Norton~1\*.*

C:\progra~1\mcafee\viruss~1\*.*

c:\progra~1\pc-cil~1\*.*

If day is 6th of any month, the virus will delete c:\Windows\*.*

If day is 7th of any month, the virus will save the document with the password = Alamat

If day is 8th of any month, the virus will insert the following text into the document: "Your're infected with the Alamat virus!" and then print it out.

If day is 9th of any month, the virus will edit the registry key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion, "RegisteredOwner" = "Lucky Warrior"

If day is 10th of any month, the virus will delete c:\Windows\*.* and c:\Winnt\*.*

If day is 11th of any month, the virus will delete characters.

If day is 12th of any month, the virus will add the hyperlink https://www.playboy.com to the document.

If day is 13th of any month, the virus will display the message "Ms Word is suffering from unknown virus!"

If day is 14th of any month, the virus will edit the following registry keys:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Winlogon, "LegalNoticeCaption" = "Lucky Warrior"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Winlogon, "LegalNoticeText" = "Welcome to the world of Alamat!"

If day is 15th of any month, the virus will replace all occurrences of "of" with "Alamat". It will also delete the Edit/Replace menu bar.

If day is 16th of any month, the virus will disable the Office Assistant and the cursor.

If day is 17th of any month, the virus will change the Word Application caption to "Alamat".

If day is 18th of any month, the virus will disable the File menu bar.

If day is 19th of any month, the virus will exit Word Application.

If day is 20th of any month, the virus will delete c:\Progra~1\System\*.*

If day is 21st of any month, the virus will disable the Edit menu bar.

If day is 22nd of any month, the virus will disable the View menu bar.

If day is 23rd of any month, the virus will disable the Insert menu bar.

If day is 24th of any month, the virus will disable the Format menu bar.

If day is 25th of any month, the virus will delete the following AV files:

C:\progra~1\Drsolo~1\Anti-V~1\*.*

C:\Program Files\Norton~1\*.*

C:\progra~1\mcafee\viruss~1\*.*

c:\progra~1\pc-cil~1\*.*

If day is 26th of any month, the virus will exit Windows.

If day is 27th of any month, the virus will delete the following AV files:

C:\progra~1\Drsolo~1\Anti-V~1\*.*

C:\Program Files\Norton~1\*.*

C:\progra~1\mcafee\viruss~1\*.*

c:\progra~1\pc-cil~1\*.*

If day is 28th of any month, the virus will edit the following user details: UserName = "Lucky Warrior", UserInitials = "LW" and UserAddress = "Bgy. Tiguib, O.E.S."

If day is 29th of any month, the virus will disable the Window menu bar.

If day is 30th of any month, the virus will delete c:\Windows\*.* and c:\Winnt\*.*

It is very common for macro viruses to disable options within Office applications. In Word, for example, the macro protection warning is commonly disabled. After cleaning macro viruses, ensure that your previously set options are enabled again.
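
The file and registry indicators named in this description can be checked on a suspect machine with a short PowerShell script. This is an added example, not vendor code; the function name Test-AlamatIndicators is hypothetical, and the paths and values are the ones given in the payload list above.

```powershell
# Added example: checks the file and registry indicators named in this description.
# Test-AlamatIndicators is a hypothetical helper name, not part of any product.
function Test-AlamatIndicators {
    $findings = @()

    # File the virus exports its code to.
    if (Test-Path -LiteralPath 'C:\windows.dat') {
        $findings += 'File present: C:\windows.dat'
    }

    # Registry values written by the day 9 and day 14 payloads (paths as given above).
    $cv = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion'
    $checks = @(
        @{ Path = $cv;            Name = 'RegisteredOwner';    Value = 'Lucky Warrior' },
        @{ Path = "$cv\Winlogon"; Name = 'LegalNoticeCaption'; Value = 'Lucky Warrior' },
        @{ Path = "$cv\Winlogon"; Name = 'LegalNoticeText';    Value = 'Welcome to the world of Alamat!' }
    )
    foreach ($c in $checks) {
        # A missing key or value yields no object; the error is suppressed on purpose.
        $item = Get-ItemProperty -LiteralPath $c.Path -Name $c.Name -ErrorAction SilentlyContinue
        if ($item -and ($item.($c.Name) -eq $c.Value)) {
            $findings += "Registry value set: $($c.Path)\$($c.Name) = $($c.Value)"
        }
    }
    return $findings
}

# Report each indicator found, or state that none of the checked ones are present.
$hits = @(Test-AlamatIndicators)
if ($hits.Count -eq 0) {
    'No Alamat file or registry indicators found.'
} else {
    $hits | ForEach-Object { "INDICATOR: $_" }
}
```

An empty result only means these file and registry traces are absent; the script does not inspect Word documents or templates for the macro code itself.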